[Bug 1945072] Re: getaddrinfo crashes on negative answers after Truncated retry

Christopher K Brown 1945072 at bugs.launchpad.net
Wed Sep 29 00:31:27 UTC 2021


In trying to do the work requested for the report, it took a different
turn.  General sequence is still correct, with the following caveat:

- our DNS server added a CNAME record to the truncated UDP reply,
bringing the size to over 512 bytes

The response is well formed, just too big.  Since getaddrinfo never asks
with EDNS, this is not correct and we must fix it - but getaddrinfo
shouldn't core on it.  The crash happens downstream of this when the TCP
replies come in, but only sometimes.  I suspect a buffer overrun of some
sort.

If you don't see it through inspection, I will add a pcap.  Might be
possible to replay it or something.  The query which gives such a large
truncated reply is

dig www.iiflstatements.com +ignore +notcp +noedns +qr

which comes in at 502 bytes.  We add a CNAME as the first record in the
answer section, which brings it to 636 bytes.  We will try to do a
little more work to see if we can make it repeatable.

Recap:

- getaddrinfo makes two requests, A and AAAA, using UDP and no EDNS
- At least one of the replies to the two requests is truncated
  - The truncated reply has a size greater than 512 bytes, otherwise error-free
- getaddrinfo makes two additional requests, A and AAAA, using TCP
- At least one of the replies to the two TCP requests has an empty answer section
  - For example, the response comes back with a REFUSED or SERVFAIL

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/1945072

Title:
  getaddrinfo crashes on negative answers after Truncated retry

Status in glibc package in Ubuntu:
  New

Bug description:
  
  Programs using getaddrinfo will segfault downstack of the call in limited circumstances.

  We have limited this crash to a specific situation, some of these
  details may not be relevant to the problem but are included in case
  they are:

  - getaddrinfo makes two requests, A and AAAA, using UDP
  - At least one of the replies to the two requests is truncated
  - getaddrinfo makes two additional requests, A and AAAA, using TCP
  - At least one of the replies to the two TCP requests has an empty answer section
    - For example, the response comes back with a REFUSED or SERVFAIL
    - Even a NOERROR with an empty answer section will cause this crash

  Sample gai call:

    // host is a std::string; no hints, empty service string
    struct addrinfo* results;
    int ec = getaddrinfo(host.c_str(), "", nullptr, &results);
    // on ec == 0, results is a linked list that must be released with freeaddrinfo(results)

  
  This is difficult to reproduce without being able to control the replies yourself since downstream must give a negative answer on the TCP after answering the UDP.  (This can happen, the downstream server can decide not to answer for any number of policy reasons.)

  Using 18.04.5.  glibc version is 2.27.
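As an added example (not part of this bug report, and not glibc or the reporter's code), the script below builds the two reply shapes the recap describes and inspects each one the way a resolver conformance check would: a truncated UDP reply that is larger than 512 bytes even though the query carried no EDNS, and a TCP retry that comes back with an empty answer section. All names, record data and sizes are constructed here to match the described shape; they are not taken from the reporter's server or from the pcap mentioned above. Only the Python standard library is used.

```python
"""Constructed DNS replies matching the bug's recap, plus checks on each.
Added example, not code from the bug report or from glibc."""
import struct

QTYPE_A, QTYPE_CNAME = 1, 5
FLAG_QR, FLAG_TC = 0x8000, 0x0200
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 5: "REFUSED"}
UDP_MAX_WITHOUT_EDNS = 512  # RFC 1035 limit when the query carried no OPT record


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_reply(qname, qtype, flags, rcode, answers):
    """Build a DNS response; answers is a list of (name, type, rdata) tuples."""
    header = struct.pack(">HHHHHH", 0x1234, FLAG_QR | flags | rcode,
                         1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)
    body = b""
    for name, rtype, rdata in answers:
        body += encode_name(name) + struct.pack(">HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + question + body


def skip_name(msg, off):
    """Return the offset just past the name at off (compression pointers are 2 bytes)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_reply(msg):
    """Parse the header and answer section into the fields the recap talks about."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    answer_types = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        answer_types.append(rtype)
    return {
        "size": len(msg),
        "truncated": bool(flags & FLAG_TC),
        "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
        "ancount": ancount,
        "answer_types": answer_types,
    }


def check_reply(msg, transport):
    """Return findings for a reply received over 'udp' or 'tcp'."""
    info = parse_reply(msg)
    findings = []
    if transport == "udp" and info["size"] > UDP_MAX_WITHOUT_EDNS:
        findings.append("udp reply exceeds 512 bytes without EDNS")
    if info["truncated"]:
        findings.append("TC set: resolver is expected to retry over tcp")
    if transport == "tcp" and info["ancount"] == 0:
        findings.append("empty answer section over tcp (rcode %s)" % info["rcode"])
    return findings


# Constructed sample (hypothetical names): truncated UDP reply with a CNAME first
# in the answer section, padded with A records so it exceeds 512 bytes.
QNAME = "www.example.test."
UDP_REPLY = build_reply(
    QNAME, QTYPE_A, FLAG_TC, 0,
    [(QNAME, QTYPE_CNAME, encode_name("cdn.example.test."))]
    + [("cdn.example.test.", QTYPE_A, bytes([192, 0, 2, i])) for i in range(1, 17)],
)
# Constructed sample: the TCP retry answered with SERVFAIL and no answer records.
TCP_REPLY = build_reply(QNAME, QTYPE_A, 0, 2, [])

if __name__ == "__main__":
    for label, msg, transport in (("udp", UDP_REPLY, "udp"), ("tcp", TCP_REPLY, "tcp")):
        print(label, parse_reply(msg)["size"], "bytes:", check_reply(msg, transport))
```

The first finding is the server-side misconfiguration the comment above describes (a non-EDNS query answered with more than 512 bytes over UDP); the last is the negative TCP answer that the report says getaddrinfo should tolerate rather than crash on. Feeding captured replies from a pcap into parse_reply in place of the constructed samples is a quick way to confirm which of the two conditions a given server is producing.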
